Home > Articles

  • Print
  • + Share This
This chapter is from the book

Working with Permissions

Under Linux (and UNIX), everything in the file system, including directories and devices, is a file. And every file on your system has an accompanying set of permissions based on ownership. These permissions provide data security by giving specific permission settings to every single item denoting who may read, write, or execute the file. These permissions are set individually for the file’s owner, for members of the group the file belongs to, and for all others on the system.

You can examine the default permissions for a file you create by using the umask command, which lists default permissions using the number system explained next, or by using the touch command and then the ls command’s long-format listing, like this:

matthew@seymour:~$ touch file
matthew@seymour:~$ ls -l file
-rw-r--r-- 1 matthew matthew 0 2015-06-30 13:06 file

In this example, the touch command quickly creates a file. The ls command then reports on the file, displaying the following (from left to right):

  • The type of file created—Common indicators of the type of file are in the leading letter in the output. A blank (which is represented by a dash, as in the preceding example) designates a plain file, d designates a directory, c designates a character device (such as /dev/ttyS0), and b is used for a block device (such as /dev/sda).

  • Permissions—Read, write, and execute permissions may be assigned for the owner, group, and all others on the system. (You learn more about these permissions later in this section.)

  • Number of links to the file—The number 1 designates that there is only one file, and any other number indicates that there might be one or more hard-linked files. Links are created with the ln command. A hard-linked file is an exact copy of the file, but it might be located elsewhere on the system. Symbolic links of directories can also be created, but only the root operator can create a hard link of a directory.

  • The owner—This is the account that owns the file; it is originally the file creator, but you can change this designation by using the chown command.

  • The group—This is the group of users allowed to access the file; it is originally the file creator’s main group, but you can change this designation by using the chgrp command.

  • File size and creation/modification date—The last two elements indicate the size of the file in bytes and the date the file was created or last modified.

Assigning Permissions

Under Linux, permissions are grouped by owner, group, and others, with read, write, and execute permission assigned to each, as follows:

Owner    Group    Others
rwx      rwx      rxw

Permissions can be indicated by mnemonic or octal characters. Mnemonic characters are listed here:

  • r indicates permission for an owner, a member of the owner’s group, or others to open and read the file.

  • w indicates permission for an owner, a member of the owner’s group, or others to open and write to the file.

  • x indicates permission for an owner, a member of the owner’s group, or others to execute the file (or read a directory).

In the previous example for the file named file, the owner, matthew, has read and write permission. Any member of the group named matthew may only read the file. All other users may only read the file. Also note that default permissions for files created by the root operator (while using sudo or a root account) will differ because of umask settings assigned by the shell.

Many users prefer to use numeric codes, based on octal (base 8) values, to represent permissions. Here’s what these values mean:

  • 4 indicates read permission

  • 2 indicates write permission

  • 1 indicates execute permission

In octal notation, the previous example file has a permission setting of 644 (read + write or 4 + 2, read-only or 4, read-only or 4). Although you can use either form of permissions notation, octal is easy to use quickly when you visualize and understand how permissions are numbered.

Directory Permissions

Directories are also files under Linux. For example, again use the ls command to show permissions, like this:

matthew@seymour:~$ mkdir directory
matthew@seymour:~$ ls -ld directory
drwxr-xr-x  2 matthew  matthew  4096 2015-06-30 13:23 directory

In this example, the mkdir command is used to create a directory. The ls command, with its -ld option, is used to show the permissions and other information about the directory (not its contents). Here you can see that the directory has permission values of 755 (read + write + execute or 4 + 2 + 1, read + execute or 4 + 1, and read + execute or 4 + 1).

This shows that the owner can read and write to the directory and, because of execute permission, also list the directory’s contents. Group members and all other users can list only the directory contents. Note that directories require execute permission for anyone to be able to view their contents.

You should also notice that the ls command’s output shows a leading d in the permissions field. This letter specifies that this file is a directory; normal files have a blank field in its place. Other files, such as those specifying a block or character device, have a different letter.

For example, if you examine the device file for a Linux serial port, you see the following:

matthew@seymour:~$ ls -l /dev/ttyS0
crw-rw---- 1 root dialout 4, 64 2015-06-30 08:13 /dev/ttyS0

Here, /dev/ttyS0 is a character device (such as a serial communications port and designated by a c) owned by root and available to anyone in the dialout group. The device has permissions of 660 (read + write, read + write, no permission).

On the other hand, if you examine the device file for an IDE hard drive, you see this:

matthew@seymour:~$ ls -l /dev/sda
brw-rw-- -- 1 root disk 8, 0 2015-06-30 08:13 /dev/sda

In this example, b designates a block device (a device that transfers and caches data in blocks) with similar permissions. Other device entries you will run across on your Linux system include symbolic links, designated by s.

Altering File Permissions with chmod

You can use the chmod command to alter a file’s permissions. This command uses various forms of command syntax, including octal or a mnemonic form (such as u, g, o, or a and rwx, and so on) to specify a desired change. You can use the chmod command to add, remove, or modify file or directory permissions to protect, hide, or open up access to a file by other users (except for the root account or a user with super user permission and using sudo, either of which can access any file or directory on a Linux system).

The mnemonic forms of chmod’s options are (when used with a plus character, +, to add, or a minus sign, -, to remove):

  • u—Adds or removes user (owner) read, write, or execute permission

  • g—Adds or removes group read, write, or execute permission

  • o—Adds or removes read, write, or execute permission for others not in a file’s group

  • a—Adds or removes read, write, or execute permission for all users

  • r—Adds or removes read permission

  • w—Adds or removes write permission

  • x—Adds or removes execution permission

For example, if you create a file, such as a readme.txt, the file has the following default permissions (set by the umask setting in /etc/bashrc, covered in the next section):

-rw-r--r-- 1 matthew matthew 0 2015-06-30 13:33 readme.txt

As you can see, you can read and write the file. Anyone else can only read the file (and only if it is outside your home directory, which will have read, write, and execute permission set only for you, the owner). You can remove all write permission for anyone by using chmod, the minus sign (-), and aw, as follows:

matthew@seymour:~$ chmod a-w readme.txt
matthew@seymour:~$ ls -l readme.txt
-r--r--r-- 1 matthew matthew 0 2015-06-30 13:33 readme.txt

Now, no one can write to the file (except you, if the file is in your /home or /tmp directory because of directory permissions). To restore read and write permission for only you as the owner, use the plus sign (+) and the u and rw options, like so:

matthew@seymour:~$ chmod u+rw readme.txt
matthew@seymour:~$ ls -l readme.txt
-rw-r--r-- 1 matthew matthew 0 2015-06-30 13:33 readme.txt

You can also use the octal form of the chmod command (for example, to modify a file’s permissions so that only you, the owner, can read and write a file). Use the chmod command and a file permission of 600, like this:

matthew@seymour:~$ chmod 600 readme.txt
matthew@seymour:~$ ls -l readme.txt
-rw------- 1 matthew matthew 0 2015-06-30 13:33 readme.txt

If you take away execution permission for a directory, files might be hidden inside and may not be listed or accessed by anyone else (except the root operator, of course, who has access to any file on your system). By using various combinations of permission settings, you can quickly and easily set up a more secure environment, even as a normal user in your /home directory.

File Permissions with umask

When you create a file, it is created with a default set of permissions. You can view and modify the default permissions for files with umask, which works like a filter. When a file is created by a user account, whether that account is owned by a human like matthew or a process like init, the file will be created using specific permissions.

The numbers we used above when discussing file permissions are also used with umask, but with an interesting change. Now, the numbers defined in umask are subtracted from the ultimate file permissions. So, if you wanted all new files to be created with a default permission of 777, you would type this:

matthew@seymour:~$ umask 000

Of course, you would never want to have all your files accessible by default because that would be incredibly insecure and unsafe. The default umask is 022, which means that files are created by default with 755 permissions, except in your /home directory where the umask is 002 and files are created with 775.

To find the current umask setting, use this:

matthew@seymour:~$ umask

This may list four digits instead of three. If so, don’t be confused. The additional digit is the first one; it is explained later in this chapter, in the section “Understanding Set User ID, Set Group ID, and Sticky Bit Permissions.”

To change the umask setting—for example, if you wanted the default to be 740—use the following:

matthew@seymour:~$ umask 037

File Permissions with chgrp

You can use the chgrp command to change the group to which a file belongs:

matthew@seymour:~$ chgrp wheel filename

Changing File Permissions with chown

You can use the chown command to change the owner of a file:

matthew@seymour:~$ chown matthew filename

You can also use the chown command to change the group of a file at the same time:

matthew@seymour:~$ chown matthew:wheel filename

Understanding Set User ID, Set Group ID, and Sticky Bit Permissions

The first two of the three listed types of permission are “set user ID,” known as suid, and “set group ID,” or sgid. These settings, when used in a program, enable any user running that program to have program owner or group owner permissions for that program. These settings enable the program to be run effectively by anyone, without requiring that each user’s permissions be altered to include specific permissions for that program.

One commonly used program with suid permissions is the passwd command:

matthew@seymour:~$ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 42856 2015-01-26 10:09 /usr/bin/passwd

This setting allows normal users to execute the command (as root) to make changes to a root-only-accessible file /etc/passwd.

By default, suid and sgid are turned off on files. To set them, add an extra digit to the beginning of a number in a chmod command. Suid uses 4. Sgid uses 2. You can set both at the same time by using 6 (4 + 2). For example, for a file owned by root with current 711 permissions allowing anyone to run it, you can make it run as root with the following:

matthew@seymour:~$ chmod 4711 filename

Files or programs that have suid or guid permissions can sometimes present security holes because they bypass normal permissions. This problem is compounded if the permission extends to an executable binary (a command) with an inherent security flaw because it could lead to any system user or intruder gaining root access. In past exploits, this typically happened when a user fed a vulnerable command with unexpected input (such as a long pathname or option); the command would fail, and the user would be presented with a root prompt. Although Linux developers are constantly on the lookout for poor programming practices, new exploits are found all the time and can crop up unexpectedly, especially in newer software packages that haven’t had the benefit of peer developer review.

Savvy Linux system administrators keep the number of suid or guid files present on a system to a minimum. The find command can be used to display all such files on a system:

matthew@seymour:~$ sudo find / -type f -perm /6000 -exec ls -l {} \;

Note that the programs do not necessarily have to be removed from your system. If your users really do not need to use the program, you can remove a program’s execute permission for anyone. As the root operator, you have to decide whether your users are allowed, for example, to mount and unmount CD-ROMs or other media on your system. Although Linux-based operating systems can be set up to accommodate ease of use and convenience, allowing programs such as mount to be suid might not be the best security policy. Other candidates for suid permission change could include the chsh, at, or chage commands.

An additional setting called the sticky bit is available using this same additional first digit. A sticky bit limits who may rename or delete files within a directory. When it is set, files in that directory may be unlinked or renamed only by a super user, the directory owner, or the file owner. Set the sticky bit to on by using a 1, like this for a directory with 755 permissions:

matthew@seymour:~$ chmod 1755 directoryname

You can set the sticky bit concurrently with suid and sgid, like this (4 + 2 + 1):

matthew@seymour:~$ chmod 7755 directoryname

Setting Permissions with Access Control Lists

POSIX is a family of standards created to maintain stability and consistency across operating systems for UNIX and UNIX-like systems, such as Linux. One important feature of POSIX is the access control list (ACL; often pronounced “AK-el”). ACLs permit even more fine-grained control over access permissions.

By default, all files have an ACL. To view the ACL for a file, use this:

matthew@seymour:~$ getfacl filename

Typical getfacl output includes multiple lines, like this for filename.txt:

# file: filename.txt
# owner: matthew
# group: matthew
user::rw-
group::rw-
other::r--

The information listed here is standard and clear, based on what you already know. The real power of ACLs is that you can add to them. You are not restricted to the standard set of user, group, other. You can add multiple users and groups with permissions specific to each.

To add the user sandra with read, write, and execute permissions to the ACL for a file named secrets.txt, use the following:

matthew@seymour:~$ setfacl -m u:sandra:rwx secrets.txt

To remove and reset sandra’s permissions on the file to the file’s defaults, use the following:

matthew@seymour:~$ setfacl -r u:sandra: secrets.txt

From these two examples, you can see that -m is for modify and -r is for remove.

ACLs permit similar actions with groups and others as with a user. Instead of the u: before the name, use a g: for groups and an o: for others, like this:

matthew@seymour:~$ setfacl -m g:groupname:rwx secrets.txt
matthew@seymour:~$ setfacl -m o:r secrets.txt

Notice that with others, there is no username or group name to include in the commands.

A useful feature is masking, which allows you to list only the permissions that are available, as in this example:

matthew@seymour:~$ setfacl -m m:rx secrets.txt

This limits everyone, regardless of any other settings. So, in this case, a group may have rwx settings on the file, but the mask here says to only permit rx, so rx will be the only settings that are available.

As an exercise, see if you can figure out the meaning of this output from getfacl for a file named coffeecup.conf:

# file: coffeecup.conf
# owner: matthew
# group: yirgacheffe
user::rw-
group::rw-
other::r--
group:qa:rwx
group:uat:rwx
mask::rwx
  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020